
Help Removing Malware

LordOfBones

Posted 14 September 2015 - 12:32 AM


Hello everyone,

So the other day I was downloading some stuff for Arma 3 and I came across an infected file that I downloaded and installed. It infected my computer with malware and now my computer installs optimizers, toolbars and other random programs on my computer. I attempted to follow a couple of guides and tutorials posted on here but they only seemed to suppress the malware for a small amount of time. I currently have FRST, JDW, OTL and JRE installed. For some reason ComboFix does not work on my PC despite running as admin (I currently run Win8); it says that my OS isn't supported. So I know the drill, below are my initial FRST Scans and my System Specs. Any and all help is greatly appreciated. I know this is on your own time.

System errors:
=============
Error: (09/13/2015 10:30:29 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.4.
The computer with the IP address 192.168.1.5 did not allow the name to be claimed by
this computer.

Error: (09/13/2015 09:39:03 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.4.
The computer with the IP address 192.168.1.5 did not allow the name to be claimed by
this computer.

Error: (09/10/2015 07:35:42 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
%%1056

Error: (09/10/2015 07:35:12 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (09/10/2015 07:35:12 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Management Service service terminated unexpectedly. It has done this 1 time(s).

Error: (09/10/2015 07:35:12 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The SoftThinks Agent Service service terminated unexpectedly. It has done this 1 time(s).

Date: 2015-05-18 13:08:55.445
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:55.317
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:55.161
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:55.041
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:54.917
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:54.793
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:54.669
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:54.541
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-05-18 13:08:54.389
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\wow64.dll because the set of per-page image hashes could not be found on the system.


Nevan

Posted 14 September 2015 - 07:37 AM

Hello, LordOfBones. Welcome to Geeks to Go! My nickname is Nevan and I will be helping you get your system back on its electronic feet.

Before we get started, please keep these things in mind:

Always read every part of my post carefully. If you don't, you may do something wrong and there could be more problems to solve.

If your security programs give you any warnings when using tools I asked you to, don't be afraid. Every tool I provide to you is 100% safe.

Only run tools that I ask you to. Some of them can be dangerous to your system as they have much power.

You should save or print my instructions. It is possible that we will be using Safe mode, which will cut you off from your internet connection and without access to them, you might be stuck.

Malware removal is a complicated process that takes multiple steps to be completed. Don't give up, be patient.

The tools we are going to use and your software may cause unwanted interactions. Because of that, I recommend you to make backups of any important files from your machine before proceeding as they might be lost.

I recommend you to stay with me until I tell you that we are done. It is important because when your system does not show any bad symptoms anymore it does not mean that it is 100% clean.

Your time to reply is limited. If you don't reply within 3 days, your topic will be closed and you will have to request it to be reopened by contacting one of Moderator group members with the link to this topic.

Every program I ask you to download should be saved to and run from desktop. If you don't know how to choose the direction of where a download is saved, check this site. You can also just copy these programs to your desktop manually and then run them from there.

Remember that the fixes I give you are only for your machine. Using it on other systems may (and probably will) cause problems.

Finally, if you have any questions or are unsure about something, just ask. I will not blame you for it. It is better to ask rather than regret it later.

Let's get started

One thing to note before we start.

P2P Warning

I've noticed that you have or have had a P2P (Peer-to-Peer) file sharing program on your machine:

BitTorrent

It is important to stay away from them as they are used to share pirated material. The programs themselves can be safe, but the majority of the files shared through them are infected.

Some of the things to keep in mind when using P2P programs:

Your computer is more likely to get infected with malware, which will result in coming back to our or other forums for help.

You may have your important data stolen, including passwords, photos or personal information.

You help to share pirated material, which may result in arrest, fines, or even jail time for illegal downloads of copyrighted material.

If I still didn't convince you, please read these short reports about how dangerous it can be to use P2P programs:

Whether you remove them or not is your decision. Though I strongly recommend you to uninstall your P2P programs as they most likely will cause problems in the future.

If you choose not to remove them, please refrain from using them until we are done cleaning your computer.

Step #1 FRST Fix

I've noticed that you ran FRST64.exe from the FixIts folder. Please move it to your Desktop. You can do it by right-clicking FRST64.exe, click Cut, then move to Desktop, right-click any free space and click Paste.

Download the attached fixlist.txt file to your desktop.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Right click FRST64.exe on your desktop and click Run as administrator.

Press the Fix button just once and wait.

NOTE: It's important that both FRST64.exe and fixlist.txt are in the same location or the fix will not work.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished, FRST will generate a log on the desktop (Fixlog.txt). Select all (CTRL+A) the content of the log, copy it (CTRL+C) and paste (CTRL+V) it into your next reply.

Step #2 Command Prompt

Click Start > type cmd in the Search Box > right-click the cmd program that appears on the list and click Run as Administrator.

In the window that appears, type the following:

sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll

then press Enter. Let the program finish its operation.

Make sure that you reboot your computer after the process.

Step #3 Uninstalling programs

Go to Start Menu > Control Panel > Programs > Uninstall a program (or Control Panel > Programs and Features if using icon view) and remove the following programs:

Consumer Input Update Helper

Itibiti RTC

Things that should appear in your next post:

Fixlog.txt log content

Please tell me if you have successfully uninstalled all the programs I've asked you to remove
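The three steps above boil down to two verifiable questions: does the system DLL that sfc is asked to repair still carry a valid Microsoft signature, and are the two listed programs really gone after the uninstall. The following elevated PowerShell script is an added example for checking both; it is not part of the thread or of FRST. It assumes Windows 8 or later and an "as administrator" prompt; the file paths and program names are the ones named in this thread, and everything else in it is a constructed check rather than something the helper prescribed.

```powershell
# Added example (not from the thread): verify the system DLLs the thread names
# and confirm the Step #3 programs are no longer registered or set to autostart.
# Assumptions: Windows 8+, elevated PowerShell, the paths/names below come from
# the thread itself; no other environment details are assumed.

$files = @(
    'C:\Windows\SysWOW64\dnsapi.dll',   # the file Step #2 asks sfc to check
    'C:\Windows\System32\wow64.dll'     # the file in the Code Integrity errors above
)

# 1. Authenticode check. Windows system files are catalog-signed, and on
#    Windows 8+ Get-AuthenticodeSignature validates against the catalog, so a
#    Valid status means the bytes on disk still match what Microsoft signed.
foreach ($f in $files) {
    if (-not (Test-Path -Path $f)) { Write-Warning "$f is missing"; continue }
    $sig    = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    '{0,-40} {1,-14} {2}' -f $f, $sig.Status, $signer
    if ($sig.Status -ne 'Valid') {
        # Same repair the thread uses: replace the file from the component store.
        sfc "/scanfile=$f"
        "sfc exit code: $LASTEXITCODE"
    }
}

# 2. Confirm the Step #3 programs no longer appear in the Uninstall registry
#    keys (64-bit, 32-bit and per-user views), which is what
#    "Programs and Features" reads from.
$names = 'Itibiti', 'Consumer Input'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $dn = $_.DisplayName
        $dn -and ($names | Where-Object { $dn -like "*$_*" })
    } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString
if ($found) { $found | Format-List } else { 'None of the listed programs is still registered.' }

# 3. The thread reports Itibiti reappearing after login, so also list Run-key
#    autostart entries whose name or command mentions either program.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }   # drop PowerShell's own PSPath etc.
    foreach ($p in $props) {
        foreach ($n in $names) {
            if ("$($p.Name) $($p.Value)" -like "*$n*") {
                "$k : $($p.Name) = $($p.Value)"
            }
        }
    }
}
```

Run it once before the reboot and once after; a program that is absent from the Uninstall keys but present in a Run key (or that comes back after login, as happened here) points to a separate autostart or service entry that the uninstaller did not remove, which is exactly the kind of leftover FRST logs are used to find.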

Nevan

Posted 14 September 2015 - 02:15 PM

On step three I rebooted and the Itibiti RTC program was back on the desktop. Also in step four there was no Consumer Input Update Helper in the programs list either.

There were only three steps in my post. What do you mean by step four?

Also, do these problems with malware still happen?

WARNING! You have no antivirus program installed on your machine. It is important to have one (and only one!), as this is your first line of defense. An antivirus program scans the files that you are currently using, downloading or opening. If it finds something suspicious, it prevents the loading of it, not allowing you to run it and protecting you from malicious software. Personally I can recommend two free Antivirus programs: Avast and Microsoft Security Essentials. Remember to use the official website which you can access by clicking the names of the Antiviruses I've mentioned.

Things that should appear in your next post:

Answers to my two questions

Please tell me if you have successfully installed an Antivirus program

LordOfBones

Posted 14 September 2015 - 03:22 PM


Apologies, didn't realise that I was ahead a step. I meant after step 2 I rebooted and the Itibiti program came back after log in. This was the only occurrence of the malware continuing. After step 2's reboot I went ahead with step 3 and deleted Itibiti and another driver recovery program that was installed from the malware. Since then I have not noticed any issues. As for the anti-virus I installed Avast.